If your business depends on computer systems in any way, you need to understand cyber risks and how they can impact your business. A cyber loss could leave you financially responsible for consumer losses and hurt your business operations. We'll explain the different types of cyber risks and what you can do to reduce them.
What is cyber risk?
Cyber risk is the threat of data loss, property destruction or ransom demands resulting from a hack of your IT systems. Cyber risks can result in a financial loss or disruption to your business. They can also harm your company's reputation if consumers don't feel their information is secure. Cyber risks can lead to system failure or the unauthorized use of information.
If an unauthorized person gains access to your computer system and databases, they can halt your operations or steal information unless you pay a ransom. This is why you need to have the right cybersecurity.
FYI: Any business that uses online systems for operations or data storage is susceptible to cybercrimes.
What is the financial impact of cyber risk?
The impact of cyber risk to a company is huge. Even a small attack can lead to a company needing to pay for lost or stolen data records, with an average cost of $150 per stolen data record. According to research by IBM, the average cost of a data breach in the United States was $8.64 million in 2020.
Even if the loss numbers are not as high for a small business, the impact could be lost revenue from an operating system being shut down for days or weeks. Even after the business restores all systems, consumers may be wary of working with a company that recently experienced a data breach or cyberattack, afraid that their personally identifiable information (PII) is not safe.
Who commits cybercrimes?
Cybercriminals come from various backgrounds. Some cybercrimes are committed by former employees looking to get revenge on a business that fired them. You can prevent this type of crime by revoking system access as soon as an employee is terminated.
Sometimes attacks come from industry competitors trying to put your business in a negative light. There are also activist organizations that believe they are helping society by hacking and harming certain businesses.
Some security risks simply arise from careless mistakes made by employees, especially those who work for companies that haven't implemented the right policies and training. A prime example occurred in 2016, when a massive phishing attack hit Hillary Clinton's campaign and workers fell for the scam.
Still, the majority of cybercrimes come from those who intend to profit from hacking by such actions as selling data on the dark web, demanding a large ransom or funneling credit card transactions to a third-party account that they control.
What are the types of cyber risks?
Cyber risks are not limited to external threats from bad actors. A business must also deal with internal threats that can compromise data or systems. It's important to plan for both.
Internal cyber risks
While most employers want to believe that employees are trustworthy, there are several types of internal risks. These stem from either an employee or former employee who has access to systems and can use the access in an adversarial way.
These are some common internal cyber risks:
- Employee sabotage and theft: This may be from a current or former employee who accesses systems to obtain information to harm the company. Some information may be used to poach employees, while other information could harm the company by disclosing private information in public forums.
- Unauthorized access: Employees could obtain access to systems they shouldn't have access to. They may change the permissions of others or deactivate network security tools.
- Unsafe business practices: When network servers are left in unlocked rooms or users are not properly logging off of devices, businesses are left vulnerable to attack.
- Accidental loss or disclosure: Employees may unwittingly disclose information. This could be by accidentally adding an unauthorized person to a confidential email chain or leaving a company laptop at a coffee shop.
Tip: Conducting background checks on potential new hires can reduce your internal cyber risks.
External cyber risks
Businesses often must be most concerned with external cyber risks where bad actors seek to illegally use data or halt business operations. It's often hard to tell where external cyber risks come from.
These are some common external cyber risks:
- Malware attacks: These are viruses that attack your systems and can potentially execute unauthorized actions.
- Phishing schemes: Nefarious individuals send fraudulent messages so that employees click on them and disclose personal or proprietary information such as passwords and payment details.
- Malvertising: This is a type of malware that redirects users to malicious websites. Code is deployed on a publisher's website that mines data about users for further ad targeting.
- DDoS attacks: A distributed denial-of-service (DDoS) attack disrupts the normal traffic to a website. This is a type of malware where a botnet overwhelms your website and prevents consumers from using it.
- Ransomware: This is a type of malware that locks up system operations and renders websites and systems unusable until the ransom is paid. This is becoming more common, as many insurance carriers find that paying the ransom is less expensive than remediating the attack.
In 2021, the Colonial Pipeline, which is responsible for providing oil to the Southeastern U.S., was hit with a ransomware attack. This is believed to be the work of the Russian criminal group known as DarkSide. By shutting down the pipeline, the group succeeded in triggering mass panic about a gas shortage. DarkSide was paid a ransom of approximately $2.3 million in bitcoin.
FYI: Conducting a cyber risk assessment and consulting an IT professional can help you understand your vulnerability to a cyberattack.
How to reduce your company's cyber risks
A good plan is the best defense against cyber risks. While you can't prevent every cybercrime, you can do a lot to make sure that your business is not harmed. Here are nine ways to reduce your company's cyber risk:
- Update your computer systems and security programs. When you don't update, gaps begin to form that allow things like malware to infiltrate your system. Make sure your antivirus security is up to date, and regularly update your operating system to prevent these gaps from forming.
- Protect outbound data. Most business owners protect themselves only from data coming in. You should also protect outgoing data to prevent the accidental release of sensitive data by employees.
- Train your employees. Make sure your employees understand what security risks exist and how to be on the lookout for them. This is especially true for things like phishing schemes that may be received by gullible employees who haven't been trained to not click on links.
- Develop strong passwords. Create complex passwords that cannot be guessed. Make sure that your system administrator's password is different from the server's password. You don't want to make it easier for hackers to get access to the entire server.
- Encrypt data. When sending or storing data, encrypt it. This means that data isn't saved in a normal text format.
- Limit login attempts. Hackers will use bots to work on passwords indefinitely. You can stop them by limiting the number of login attempts allowed to access data or server systems.
- Implement a kill switch. A kill switch allows an IT professional to shut down all access to servers or pull websites offline when a threat is detected. This gives you time to address the threat before it can do any damage.
- Don't store credit card information. Don't risk a hacker collecting your customers' credit card data. Never store this information in any database that you maintain, and enact strict policies so that your employees never do it either.
- Back up your data regularly. Take the time to have regular data backups. This will make restoration much easier if you do fall victim to a cyberattack.
How cyber liability insurance can help
Since you can't predict if and when a cyberattack will occur, it makes sense to have cyber liability insurance. A cyber liability policy will pay for financial losses stemming from:
- Business interruption costs
- Ransom demands
- Investigating the attack
- Hiring a PR firm to deal with the fallout
- Regulatory fines
- Custom notification costs (which can range from 50 cents to $5 per person)
- Consumer credit monitoring (which can range from $10 to $30 per person)
- Legal defense and any judgments or settlements
On top of paying for losses and damages, many insurance cyber loss teams will help a business remediate the losses as quickly as possible. This means they use their internal teams to help halt the progress of viruses and malware, with the goal of minimizing the ultimate loss to both your business and to the insurer.
FYI: You can learn more about top options for cyber insurance in our review of CNA and our review of Chubb.
Can you be penalized for cyberattacks?
The Federal Trade Commission is tasked with protecting America's consumers, and it's every business owner's responsibility to make sure that consumer data is protected. If it isn't, you may be held liable and face the risk of fines and even, in egregious cases, jail time.
The FTC recommends that business owners assess the types of information they collect and keep, keep only what is necessary, and lock that data either electronically or physically. When the information is no longer needed, discard it by shredding it or through using a data-deletion service.
It isn't just the FTC fines that a business has to deal with in the event of a data breach. You may face these additional penalties:
- Fair and Accurate Credit Transaction (FACTA) fines of up to $2,500 per violation at the federal level and up to $1,000 at the state level
- Civil penalties of up to $3,500 per violation
- HIPAA penalties of up to $50,000 per violation for erroneous disclosures and up to $50,000 plus one year in prison for criminal wrongful disclosures
These are just a few of the penalties businesses could face from a data breach. Most small businesses can't afford these types of fines. They could lose an estimated 20% to 30% of their consumer base from a data breach. Keeping consumer data private and having insurance to help protect against financial losses are critical in the digital age.